| From 6ebec961d59bccf65d08b13fc1ad4e6272a89338 Mon Sep 17 00:00:00 2001 |
| From: Yi Zeng <yizeng@asrmicro.com> |
| Date: Wed, 9 Jan 2019 15:33:07 +0800 |
| Subject: i2c: dev: prevent adapter retries and timeout being set as minus value |
| |
| From: Yi Zeng <yizeng@asrmicro.com> |
| |
| commit 6ebec961d59bccf65d08b13fc1ad4e6272a89338 upstream. |
| |
| If adapter->retries is set to a minus value from user space via ioctl, |
| it will make __i2c_transfer and __i2c_smbus_xfer skip the calling to |
| adapter->algo->master_xfer and adapter->algo->smbus_xfer that is |
| registered by the underlying bus drivers, and return value 0 to all the |
| callers. The bus driver will never be accessed anymore by all users, |
| besides, the users may still get successful return value without any |
| error or information log print out. |
| |
| If adapter->timeout is set to minus value from user space via ioctl, |
| it will make the retrying loop in __i2c_transfer and __i2c_smbus_xfer |
| always break after the first try, due to the time_after always |
| returns true. |
| |
| Signed-off-by: Yi Zeng <yizeng@asrmicro.com> |
| [wsa: minor grammar updates to commit message] |
| Signed-off-by: Wolfram Sang <wsa@the-dreams.de> |
| Cc: stable@kernel.org |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/i2c/i2c-dev.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| --- a/drivers/i2c/i2c-dev.c |
| +++ b/drivers/i2c/i2c-dev.c |
| @@ -461,9 +461,15 @@ static long i2cdev_ioctl(struct file *fi |
| return i2cdev_ioctl_smbus(client, arg); |
| |
| case I2C_RETRIES: |
| + if (arg > INT_MAX) |
| + return -EINVAL; |
| + |
| client->adapter->retries = arg; |
| break; |
| case I2C_TIMEOUT: |
| + if (arg > INT_MAX) |
| + return -EINVAL; |
| + |
| /* For historical reasons, user-space sets the timeout |
| * value in units of 10 ms. |
| */ |
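Review bot: in the I2C_TIMEOUT case, `if (arg > INT_MAX)` bounds only the raw ioctl argument, while the comment directly below it says user space passes the timeout in units of 10 ms. If the assignment that follows scales arg before storing it, a value at or below INT_MAX can still overflow after scaling and leave adapter->timeout negative, which is the condition the commit message sets out to prevent. Consider bounding arg against INT_MAX divided by the scale factor, or validating the converted value before it is assigned. The I2C_RETRIES check is consistent with its direct assignment `client->adapter->retries = arg;`. A short comment on each check saying that the field is a signed int would also help readers who see only the comparison against INT_MAX.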